CN110636495B - Method for terminal user safety roaming authentication in fog computing system - Google Patents

Publication number
CN110636495B
Authority
CN
China
Prior art keywords
authentication
session key
sessionkey
roaming
certificate
Legal status
Active
Application number
CN201910861089.3A
Other languages
Chinese (zh)
Other versions
CN110636495A
Inventor
曾萍
袁琳
赵耿
马英杰
高原
杨莹
肖钧怡
Current Assignee
Hunan Ruiyun Information Technology Co ltd
Original Assignee
BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE

Classifications

    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H04W12/40 Security arrangements using identity modules
    • H04W36/14 Reselecting a network or an air interface
    • H04W36/18 Performing reselection for specific purposes for allowing seamless reselection, e.g. soft reselection


Abstract

The invention provides a method for secure roaming authentication of end users in a fog computing system. When user equipment enters the network in a fog computing environment, initial authentication is performed first; after authentication by the authentication center and the home node, the equipment obtains a roaming certificate and is registered at the home node. Later, when the user leaves the home node and enters a remote node, the user submits a roaming request and presents the roaming certificate to the remote node; if the verification information is legitimate, the user equipment can roam smoothly. The method supports mobility and, through two embodiments combined with the IoT communication protocols MQTT and DDS, ensures the security and high availability of the fog computing system. Bidirectional authentication protects the terminal; transferring the management function to the fog node means roaming authentication no longer passes through the cloud platform, avoiding congestion at the cloud platform's network port; and the communication link established between fog nodes avoids repeated authentication and meets the lightweight and mobility requirements of mobile terminal equipment.

Description

Method for terminal user safety roaming authentication in fog computing system
Technical Field
The invention relates to the field of security of an internet of things system, in particular to a method for authenticating the identity of a terminal user when the terminal user roams in a fog computing system.
Background
Since the concept of the Internet of Things (IoT) was formally proposed by the International Telecommunication Union in 2005, technologies such as sensor networks, cloud computing and microchips have developed and matured, and the IoT industry has grown rapidly. However, the IoT is still in a growth stage and research on its security is not mature: even internationally, no IoT research organization or standards body has defined a uniform IoT security architecture or the key security technologies, and no established commercial IoT security architecture exists. As a result, the security problems of the IoT are more serious than those of conventional communication networks.
With the rapid development of the IoT, the number of mobile IoT devices such as wearables and intelligent vehicles grows day by day, and IoT security problems appear ever more frequently, becoming a major bottleneck to wide adoption. The existing problems of the IoT come down to two points. First, network data is processed centrally: large amounts of data are collected at the cloud computing platform and the data center, which places no small burden on the data center's network I/O ports and in severe cases causes packet loss or even paralysis. Second, latency is too long: under centralized processing a data packet passes through the queuing and forwarding delays of many switching devices before reaching the data center, which cannot be tolerated in latency-sensitive fields such as vehicular networking and industrial production.
Fog computing is a novel computing mode and an extension of cloud computing that provides part of the service functions of a cloud computing platform to end users locally. It reduces the computing, storage and transmission load of the cloud platform as well as the waiting delay of the end user, and is an effective carrier for the IoT. Research on IoT security access control technology based on fog computing therefore has both theoretical significance and practical application value.
In order to prevent access of illegal equipment in the environment of the internet of things, a corresponding authentication mechanism needs to be established, and the adoption of the traditional authentication mechanism for a large-scale deployed fog computing network has certain difficulty.
(1) The authentication overhead is large. Sensors and low-cost devices deployed at large scale have limited computing and storage capacity, whereas existing authentication mechanisms are comparatively expensive: traditional schemes such as certificate verification are usually computationally intensive and require many interactions, so they cannot be deployed on these low-cost devices. Reducing the computation and storage overhead of the authentication process is therefore the first requirement for deploying the scheme.
(2) Fog computing environments have poor mobility support. Existing fog computing environments lack research on mobility, the reuse of fog computing nodes is low, and resources are easily wasted. Placing all mobile device management work on the cloud platform increases the management cost of the network, and a large number of authentication requests can block the network I/O interface of the cloud platform. In this case, part of the management function can be pushed down to the fog nodes to reduce the burden on the cloud platform.
In a communication network formed by mobile devices there is not only interaction between people and devices but also automatic interaction between devices, and mobile devices frequently move from one network to another. How to perform effective security authentication and authorization of mobile devices across domains is therefore a major difficulty in current IoT security design. When a terminal device moves out of the management domain of its current fog node into the management domain of another fog node, it must leave the network and authenticate again, which is a heavy computational burden for a terminal designed to be lightweight; and the repeated authentication of a large number of mobile terminals wastes the computing power of the authentication center.
An authentication scheme supporting mobility is therefore urgently needed: it should ensure seamless handover between fog nodes, reduce the requirements on access equipment, reduce the delay of terminal equipment accessing the network, reduce the computational burden of the authentication center and reduce the waste of resources. When terminal equipment accesses the fog nodes, repeated security authentication of the same terminal by fog nodes in different areas can be effectively reduced, saving computation on the terminal equipment.
Disclosure of Invention
On the basis of research into existing IoT secure access control schemes, the invention uses the fog computing architecture to provide a fast and secure roaming authentication protocol supporting terminal mobility. It solves the problem of repeated authentication caused by the terminal accessing the cloud platform multiple times. The communication link established between fog nodes strengthens their interconnection, so roaming authentication does not need to pass through the cloud platform; congestion of the cloud platform's network port by large volumes of management traffic, and the resulting network degradation, are avoided. The number of public-key and initial-authentication interactions is reduced, roaming authentication time is shortened, and the network's management of terminals becomes more efficient. This solves the access authentication problem of IoT terminal equipment to a considerable extent and improves the security of the system.
The invention implements a secure roaming authentication scheme based on the three-layer architecture of fog computing. This three-layer architecture comprises a cloud platform, an authentication center, a home node, a remote node and the end user. Each part is defined as follows:
Authentication center (CA). The authentication center stores the registration information of the users and the nodes and performs identity verification of the users and of each node.
Home node (HA). The node through which the user initially accesses the network is registered as the home node.
Remote node (FA). The node from which the user obtains service after moving away from its current node is the remote node.
End user (MU). The terminal equipment comes in many types, such as smartphones, tablets, notebook computers and vehicle-mounted intelligent devices. These end users have high mobility requirements, so the secure roaming authentication protocol must complete quickly enough that the roaming authentication can be updated in time as the end user moves.
The process of the invention is as follows: when user equipment enters the network in a fog computing environment, initial authentication is performed first, and after authentication by the authentication center and the home node the equipment obtains a roaming certificate and is registered at the home node. Later, when the user leaves the home node and enters a remote node, the user submits a roaming request and presents the roaming certificate to the remote node; the remote node has the home node confirm the registration information of the device and checks the legality of the roaming certificate, and if the information is legitimate the user equipment can roam smoothly.
An interaction diagram of the secure roaming authentication scheme described in the present invention is shown in fig. 1.
The invention aims to realize the safe roaming authentication when the terminal user is switched between the fog nodes, and the schematic diagram of a safe roaming authentication model is shown in figure 2. The safe roaming authentication described in the invention includes three parts: system initialization, initial authentication and roaming authentication.
The method comprises the following steps:
1. System initialization.
(1) The authentication center CA generates the system parameters: it selects a large prime q and a multiplicative cyclic group G0 of order q, selects a generator g of G0, and selects a large random number SK_CA as the private key of the authentication center.
(2) It calculates PK_CA = SK_CA × g, obtaining the public key PK_CA.
2. The end user MU submits an access authentication request to the HA. The MU selects a random number R_MU_1 and calculates S = R_MU_1 × g.
3. The MU sends its identity information for authentication to the HA. The MU selects a random number R_MU_2, encrypts S || R_MU_2 || T1 with the master key mk_MU to obtain E(mk_MU, S || R_MU_2 || T1), and sends it together with MU_ID to the HA. Here "||" denotes concatenation and T1 is a timestamp.
4. The HA forwards the received authentication information of the MU to the CA and at the same time sends its own identity information, the certificate Cert_HA, to the CA; that is, the HA sends Cert_HA together with MU_ID || E(mk_MU, S || R_MU_2 || T1).
5. On receiving the information, the CA verifies the legitimacy of the certificate Cert_HA.
6. The CA looks up the user's master key mk_MU by MU_ID and decrypts E(mk_MU, S || R_MU_2 || T1) with mk_MU. The CA then selects a random number R_CA and calculates R = (SK_CA + R_CA) × R_MU_2 and T = S + R_CA × R_MU_2 × g.
7. The CA first generates a session key SessionKey for the MU and the HA; the same session key is used when the MU later roams to other FAs. The CA then encrypts R || T || SessionKey with mk_MU to obtain E(mk_MU, R || T || SessionKey), encrypts SessionKey and S with the public key PK_HA of the HA to obtain E_PK_HA(SessionKey || S), and at the same time generates a roaming certificate Cert(MU_ID || HA_ID || TS || TE) that registers the HA as the home node of the MU, where TS and TE mark the validity period of the certificate.
8. The CA sends E(mk_MU, R || T || SessionKey), E_PK_HA(SessionKey || S) and the roaming certificate to the HA.
9. The HA first decrypts E_PK_HA(SessionKey || S) to obtain the session key and S, and then calculates E(SessionKey, S).
10. The HA transmits E(mk_MU, R || T || SessionKey) || Cert(MU_ID || HA_ID || TS || TE) || E(SessionKey, S) to the user MU.
11. The MU decrypts E(mk_MU, R || T || SessionKey) to obtain R and T, and calculates S + R × g and R_MU_2 × PK_CA + T. It compares whether the two are equal; if they are, the session key was generated by the CA. The MU then takes the session key from the decrypted E(mk_MU, R || T || SessionKey) and uses it to decrypt E(SessionKey, S); if the recovered value equals S, the HA is confirmed to be secure.
12. The MU sends the roaming certificate and E(SessionKey, S || FA_ID || T) to the remote node FA, where T is a timestamp.
13. The FA sends its own certificate, the roaming certificate and E(SessionKey, S || FA_ID || T) to the HA indicated in the roaming certificate.
14. The HA checks the roaming certificate, retrieves the corresponding SessionKey and decrypts E(SessionKey, S || FA_ID || T), whereby:
(1) the validity of the roaming certificate is confirmed;
(2) it is confirmed that the MU intends to establish a connection with the FA.
15. The HA encrypts the session key SessionKey with the public key PK_FA of the FA and transmits E(PK_FA, SessionKey) to the FA.
16. The FA decrypts E(PK_FA, SessionKey) to obtain SessionKey, encrypts FA_ID || T with SessionKey, where T is a timestamp, and sends the result to the MU.
17. The MU checks whether the encrypted content is correct; if so, the authentication is passed.
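The seventeen steps above (which the first embodiment repeats as steps 2a to 2c) as an added toy simulation in Python; this is not the patent's own code, which the text says was written in C in Visual Studio. It assumes a small prime-order group standing in for G0, a hash-based stand-in for the symmetric E(·), a hashed-ElGamal stand-in for the public-key envelopes E_PK_HA/E_PK_FA, and node certificates abstracted as public keys registered with the CA; the HA and FA relaying of messages is collapsed into direct calls.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed toy group: the order-q subgroup of Z_p^* with p = 2q + 1 = 1907 (NOT a secure size).
# The patent's "k × X" becomes modular exponentiation and its "+" on group elements multiplication.
P, Q, G = 1907, 953, 4

def smul(k, x): return pow(x, k % Q, P)            # k × x
def gadd(x, y): return x * y % P                   # x + y
def rnd(): return secrets.randbelow(Q - 1) + 1     # random scalar in [1, q - 1]
def kdf(x): return hashlib.sha256(str(x).encode()).digest()

# Toy symmetric E(key, fields): SHA-256 counter keystream plus HMAC tag; "a || b" is the JSON list [a, b].
def keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))[:n]

def enc(key, fields):
    pt, nonce = json.dumps(fields).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

def pk_enc(pk, fields):                                    # E_PK_X(fields): hashed ElGamal over the toy group
    k = rnd()
    return smul(k, G), enc(kdf(smul(k, pk)), fields)

def pk_dec(sk, envelope): return dec(kdf(smul(sk, envelope[0])), envelope[1])

class CA:
    def __init__(self):
        self.sk = rnd(); self.pk = smul(self.sk, G)        # SK_CA and PK_CA = SK_CA × g
        self.users, self.nodes = {}, {}                    # MU_ID -> mk_MU ; node id -> node public key

    def initial_auth(self, mu_id, e_mu, ha_id):           # steps 5-8
        mk = self.users[mu_id]
        s, r_mu2, t1 = dec(mk, e_mu)                       # E(mk_MU, S || R_MU_2 || T1)
        if abs(int(time.time()) - t1) > 60:
            raise ValueError("stale T1")
        r_ca = rnd()
        r = (self.sk + r_ca) * r_mu2 % Q                   # R = (SK_CA + R_CA) × R_MU_2
        t = gadd(s, smul(r_ca * r_mu2, G))                 # T = S + R_CA × R_MU_2 × g
        key, now = secrets.token_bytes(32), int(time.time())              # SessionKey for MU <-> HA
        cert = {"mu": mu_id, "ha": ha_id, "ts": now, "te": now + 3600}   # roaming certificate
        return enc(mk, [r, t, key.hex()]), pk_enc(self.nodes[ha_id], [key.hex(), s]), cert

class Node:                                                # a fog node, acting as HA or FA
    def __init__(self, nid, ca):
        self.id, self.sk = nid, rnd()
        self.pk = ca.nodes[nid] = smul(self.sk, G)         # registration stands in for Cert_HA / Cert_FA checks
        self.sessions = {}                                 # as HA: MU_ID -> (SessionKey, S)

    def home_register(self, cert, e_ha):                  # step 9
        key_hex, s = pk_dec(self.sk, e_ha)                 # E_PK_HA(SessionKey || S)
        self.sessions[cert["mu"]] = (bytes.fromhex(key_hex), s)
        return enc(bytes.fromhex(key_hex), [s])            # E(SessionKey, S)

    def roaming_check(self, cert, fa, e_roam):            # steps 14-15, run by the HA
        now = int(time.time())
        if cert["ha"] != self.id or not cert["ts"] <= now <= cert["te"]:
            raise ValueError("roaming certificate invalid")
        key, s_reg = self.sessions[cert["mu"]]
        s, fa_id, t = dec(key, e_roam)                     # E(SessionKey, S || FA_ID || T)
        if abs(now - t) > 60 or fa_id != fa.id or s != s_reg:
            raise ValueError("roaming request rejected")
        return pk_enc(fa.pk, [key.hex()])                  # E_PK_FA(SessionKey)

def mu_check_ca(s, r_mu2, r, t, pk_ca):                   # step 11: S + R × g == R_MU_2 × PK_CA + T
    return gadd(s, smul(r, G)) == gadd(smul(r_mu2, pk_ca), t)

def mu_initial_auth(mu_id, mk, ca, ha):                   # steps 2-11 (the HA's relaying is implicit)
    s, r_mu2 = smul(rnd(), G), rnd()                       # S = R_MU_1 × g
    e_mu, e_ha, cert = ca.initial_auth(mu_id, enc(mk, [s, r_mu2, int(time.time())]), ha.id)
    e_s = ha.home_register(cert, e_ha)
    r, t, key_hex = dec(mk, e_mu)                          # E(mk_MU, R || T || SessionKey)
    if not mu_check_ca(s, r_mu2, r, t, ca.pk):
        raise ValueError("session key was not produced by the CA")
    key = bytes.fromhex(key_hex)
    if dec(key, e_s) != [s]:
        raise ValueError("HA did not prove possession of the session key")
    return {"id": mu_id, "key": key, "s": s, "cert": cert}

def mu_roam(mu, fa, ha):                                   # steps 12-17 (the FA's relaying is implicit)
    t = int(time.time())
    e_key = ha.roaming_check(mu["cert"], fa, enc(mu["key"], [mu["s"], fa.id, t]))
    fa_key = bytes.fromhex(pk_dec(fa.sk, e_key)[0])        # step 16, at the FA
    return dec(mu["key"], enc(fa_key, [fa.id, t])) == [fa.id, t]   # step 17, at the MU

def demo():
    ca, mk = CA(), kdf("constructed master key mk_MU")     # mk_MU is shared at registration
    ha, fa = Node("HA-1", ca), Node("FA-2", ca)
    ca.users["MU-42"] = mk
    return mu_roam(mu_initial_auth("MU-42", mk, ca, ha), fa, ha)
```

Calling demo() runs one initial authentication at the HA followed by one roaming authentication at the FA and returns True; the equation in mu_check_ca is what stops a forged R or T from passing as the CA's.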
The flow of the main steps above describes the mobile end user's initial access to the fog computing network environment; when the mobile end user is already in the fog computing network environment and needs to move to the next fog node, the same secure roaming authentication method applies.
The symmetric and public-key encryption and decryption algorithms used by the method may be those of existing mobile communication systems, or newly designed algorithms.
The flow of the main steps is described on the basis of a manually built OpenStack cloud platform; in practical application the secure roaming authentication method applies equally to other cloud platforms that provide computing, storage and network functions.
In future fog computing and mobile edge computing environments, a large number of mobile devices will access the network to obtain services. However, existing fog computing provides no mobility support: the mobility of the user in the existing fog computing three-layer model is not flexible enough, so user equipment has difficulty moving. The user equipment can only authenticate when entering the network and cannot update its own location information with a home server as in mobile communication. When the user needs to move and roam, it can only leave the existing node and then access and authenticate at another node, which silently increases the burden on the authentication center, while repeatedly entering a local network greatly shortens the service life of the user equipment. The present invention solves these problems well.
According to the invention, when terminal equipment first accesses the network through a certain fog node, its authentication information can be passed between that fog node and adjacent fog nodes through the secure roaming authentication protocol, which resists man-in-the-middle attacks; therefore, when the terminal roams, seamless handover can be provided between fog nodes and data is transmitted in real time. The security and mobility of the terminal are ensured, malicious attacks are prevented, and the confidentiality and integrity of data transmission are achieved.
Drawings
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail with reference to the accompanying drawings:
FIG. 1 is a schematic diagram of a secure roaming authentication scheme interaction;
FIG. 2 is a diagram of a secure roaming authentication model;
FIG. 3 is an operation mode of MQTT communication protocol;
FIG. 4 is a flow chart of Qos2 QoS level of MQTT;
fig. 5 is a flowchart of a system for issuing real-time location information based on Qos2 quality of service level in MQTT communication protocol according to a secure roaming authentication method in a fog computing system in an embodiment of the present invention;
FIG. 6 is a schematic diagram of an initial authentication interaction;
FIG. 7 is a diagram of the results of a successful execution of the initial authentication protocol;
FIG. 8 is a diagram illustrating a roaming authentication interaction;
FIG. 9 is a diagram illustrating the success of performing a roaming authentication protocol;
FIG. 10 is a diagram of a model architecture of the auto discovery mechanism of the DDS;
fig. 11 shows the operation mode of the DDS;
fig. 12 is a flowchart of a system for issuing real-time location information based on a DDS communication protocol according to a secure roaming authentication method in a fog computing system in an embodiment of the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings and examples, so that how to apply technical means to solve technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that all technical solutions formed according to the present invention are within the protection scope of the present invention.
The invention can be applied in a wide range of scenes, and only the application examples applied to the monitoring and real-time release of the road condition information are considered. In order to clearly show the technical scheme of the invention, the following application examples are illustrated:
First embodiment:
In the first embodiment the invention considers the one-to-many message publishing pattern of MQTT (Message Queuing Telemetry Transport), an IoT communication protocol. Fig. 3 shows the operating mode of the MQTT communication protocol: MQTT employs a lightweight publish/subscribe messaging mode through a message broker (in this example, the cloud platform). In this application example, every IoT end user MU accesses the fog node HA through access authentication and the HA provides service; after secure roaming authentication the end user MU accesses the fog node FA and the FA provides service. The cloud platform manages the position information of each terminal as topics: it publishes the position information of terminal MU to the other end users, and processes and publishes the position information of the other end users to terminal MU. Fig. 4 is the flow chart of the Qos2 service quality level of MQTT (exactly-once delivery); under Qos2 it can be ensured that the location information of each end user is uploaded to the cloud platform in real time and published by the cloud platform to all other end users, and the mobile phone app of the MU can update the position information of all end users in time.
Fig. 5 is a flowchart of a system for issuing real-time location information based on Qos2 quality of service level of MQTT communication protocol according to a secure roaming authentication method in a fog computing system in an embodiment of the present invention, which may be taken as a first embodiment of the present invention.
Step 1. The mobile end user MU requests a connection to the server through the mobile phone app; the end user's GPS position and the time are collected and sent to the server for display, and at the same time stored in the MySQL database.
Step 2. The protocol of the terminal secure roaming authentication scheme is implemented in the C language using Visual Studio.
The invention relates to a method for mobile terminal safety roaming authentication in a fog computing system, which is provided based on a safety roaming authentication scheme and comprises three parts: system initialization, initial authentication and roaming authentication. The programmed implementation of the secure roaming authentication scheme is based on the three parts described above.
Step 2a. System initialization.
(1) The authentication center CA generates the system parameters: it selects a large prime q and a multiplicative cyclic group G0 of order q, selects a generator g of G0, and selects a large random number SK_CA as the private key of the authentication center.
(2) It calculates PK_CA = SK_CA × g, obtaining the public key PK_CA.
Step 2b. Initial authentication. The interaction diagram is shown in fig. 6.
In the protocol each user has a unique identity id_i, i ∈ [1, N], where N is the total number of users. The user stores its own MU_ID and a master key mk_MU shared with the authentication center, and the authentication center stores the identities and master keys of all users. The initial authentication proceeds as follows:
(1) The user MU enters the network for the first time and submits a request to access the fog node HA. The MU selects a random number R_MU_1 and calculates S = R_MU_1 × g.
(2) The MU sends its identity information for authentication to the HA. The MU selects a random number R_MU_2, encrypts S || R_MU_2 || T1 with the master key mk_MU to obtain E(mk_MU, S || R_MU_2 || T1), and sends it together with MU_ID to the HA. Here "||" denotes concatenation and T1 is a timestamp.
(3) The HA forwards the request information from the MU to the CA and at the same time sends its own identity information, the certificate Cert_HA, to the CA; that is, the HA sends Cert_HA together with MU_ID || E(mk_MU, S || R_MU_2 || T1).
(4) On receiving the information, the CA verifies the legitimacy of the certificate Cert_HA.
(5) The CA looks up the user's master key mk_MU by MU_ID and decrypts E(mk_MU, S || R_MU_2 || T1) with mk_MU.
(6) The CA selects a random number R_CA and calculates R = (SK_CA + R_CA) × R_MU_2 and T = S + R_CA × R_MU_2 × g.
(7) The CA first generates a session key SessionKey for the MU and the HA; the same session key is used when the MU later roams to other FAs. The CA then encrypts R || T || SessionKey with mk_MU to obtain E(mk_MU, R || T || SessionKey), encrypts SessionKey and S with the public key PK_HA of the HA to obtain E_PK_HA(SessionKey || S), and at the same time generates a roaming certificate Cert(MU_ID || HA_ID || TS || TE) that registers the HA as the home node of the MU, where TS and TE are timestamps marking the validity period of the certificate. Finally, the CA sends E(mk_MU, R || T || SessionKey), E_PK_HA(SessionKey || S) and the roaming certificate to the HA.
(8) The HA first decrypts E_PK_HA(SessionKey || S) to obtain the session key and S, then calculates E(SessionKey, S), and finally passes E(mk_MU, R || T || SessionKey) || Cert(MU_ID || HA_ID || TS || TE) || E(SessionKey, S) to the user MU.
(9) The MU decrypts E(mk_MU, R || T || SessionKey) to obtain R and T, and calculates S + R × g and R_MU_2 × PK_CA + T. It compares whether the two are equal; if they are, the session key was generated by the CA. The MU then takes the session key from the decrypted E(mk_MU, R || T || SessionKey) and uses it to decrypt E(SessionKey, S); if the recovered value equals S, the HA is confirmed to be secure. The initial authentication protocol was implemented in Visual Studio, and the result of a successful authentication is shown in fig. 7. After comparison and verification the conclusion is that the HA is secure, and the MU establishes a trusted connection with the HA, i.e. the initial authentication succeeds.
Step 2c. When the MU roams into the range of the remote node FA, the roaming authentication protocol is executed. The roaming authentication interaction diagram is shown in fig. 8.
(1) The MU sends the roaming certificate and E(SessionKey, S || FA_ID || T) to the remote node FA, initiating a roaming authentication request, where T is a timestamp.
(2) The FA sends its own certificate, the roaming certificate and E(SessionKey, S || FA_ID || T) to the HA indicated in the roaming certificate.
(3) The HA checks the roaming certificate to retrieve the corresponding SessionKey, then decrypts E(SessionKey, S || FA_ID || T): it first checks whether the timestamp has expired, then checks whether S equals the S the user sent previously. If so, the MU really does intend to establish a connection with the FA, and the HA encrypts SessionKey with the public key PK_FA of the FA and sends it to the FA.
(4) The FA decrypts E(PK_FA, SessionKey) to obtain SessionKey and encrypts FA_ID || T with SessionKey, where T is a timestamp.
(5) The FA sends E(SessionKey, FA_ID || T) to the user MU; the MU checks whether the encrypted content is correct, and if it is, the authentication is passed. The roaming authentication protocol was implemented in Visual Studio, and the result of a successful authentication is shown in fig. 7.
Step 3. The position of the MU is judged to decide whether to execute the initial authentication protocol (steps 1-11 of the method) or the roaming authentication protocol (steps 12-17 of the method), and thereby whether the serving fog node is the HA or an FA.
Step 4. Based on the MQTT communication protocol, the MU terminal uploads its GPS information in real time to the cloud platform through the fog node HA or FA. In this example the uploading and publishing functions are completed by means of the OpenStack cloud platform.
Step 5. The cloud platform publishes the GPS information of the MU to the mobile phone apps of all other end users, and real-time updating is guaranteed by the Qos2 service quality level.
Step 6. The real-time release of the road condition information is complete.
Second embodiment:
The second embodiment uses DDS (Data Distribution Service), the publish/subscribe data distribution specification for Internet of Things communication. The core of DDS is its automatic discovery mechanism, whose model structure is shown in fig. 10; it is the precondition for interactive communication between nodes in the Internet of Things. When nodes join or leave the system, the discovery mechanism notifies every node of the change in node information. It runs before any node transmits data messages and underpins the high-security data communication service.
Fig. 11 shows the operating mode of DDS. The DDS protocol is the core of a real-time network infrastructure; compared with MQTT, its most notable advantage is its strong real-time support, which better fits the fundamental real-time requirement of road condition information. DDS can control and manage the use of resources such as network bandwidth and memory, and can control the reliability, timeliness and lifetime of data; by applying these quality-of-service policies flexibly, a data distribution system that meets real-time requirements can be built both in narrowband wireless environments and in broadband wired environments.
Fig. 12 is the system flowchart of the second embodiment: secure roaming authentication in the fog computing system with real-time location information published over the DDS protocol. Steps 1 to 3 are the same as in the first embodiment and are not repeated here; the secure roaming authentication method determines whether the fog node HA or FA provides service.
Step 4: the MU terminal uploads its GPS information in real time to the cloud platform through the fog node HA or FA over the DDS protocol. In this example the upload and publish functions are implemented on the OpenStack cloud platform.
Step 5: the cloud platform computes over the GPS information sent by each end user, sends all GPS information to each end user's mobile phone app, and guarantees reliable and real-time data delivery through a set of QoS policies: for example, the DEADLINE QoS policy bounds the interval between updates and the RELIABILITY QoS policy guarantees delivery.
Step 6: real-time publication of the road condition information is complete.
Note that the examples mainly serve to prove the feasibility of the method for end-user secure roaming authentication in a fog computing system. The cloud platform in the examples provides only data storage and computing, so what is forwarded to the other users is the real-time location of the particular mobile terminal user MU. On a resource-rich cloud platform such as Alibaba Cloud, Qingke cloud or OneNET, the method can aggregate the location information uploaded by every mobile terminal user, derive the current road conditions by big-data analysis and comparison, and then publish the traffic information to each end user in real time, so that an MU learns whether a given road section is flowing or congested.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the present invention. It is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents.
In Internet of Things and fog computing scenarios, the limited storage and computing capacity of mobile devices and the limited bandwidth and stability of networks make high security and high availability hard to balance. The two preferred embodiments combine the secure roaming authentication method for the fog computing system with the MQTT and DDS Internet of Things protocols and, on top of the protocols' own permission checks and access-permission filtering, further confirm the uniqueness and legitimacy of the terminal device user requesting to join the network. Mutual authentication between terminal device and fog node, combined with the trusted authentication center's identity authentication of both fog node and terminal device, secures the terminal's admission to the system and improves its stability. The invention addresses the poor mobility support and high authentication overhead of traditional fog computing environments, which do not meet the inherent lightweight and mobility requirements of mobile terminals: the two embodiments move the management function to the fog nodes, which relieves the cloud platform and prevents large numbers of authentication requests from saturating its network I/O; repeated authentication between a mobile terminal and different fog nodes is reduced, the terminal's computing and storage demands fall, terminal mobility improves, the subscribe/publish and real-time update of end-user location information are maintained, and the fog computing system stays highly available.

Claims (1)

1. A method for end-user secure roaming authentication in a fog computing system, characterized by comprising the following steps:
step 1, system initialization:
(1) the authentication center CA generates the system parameters: it selects a large prime q and a multiplicative cyclic group G0 of order q, selects a generator g from G0, and selects a large random number SK_CA as the private key of the CA;
(2) the CA computes PK_CA = SK_CA * g to obtain its public key PK_CA;
step 2, the end user MU submits an access authentication request to the fog node HA: the MU selects a random number R_MU_1 and computes S = R_MU_1 * g;
step 3, the MU sends its identity information for authentication to the HA: the MU selects a random number R_MU_2, encrypts S || R_MU_2 || T1 with its master key mk_MU to obtain E(mk_MU, S || R_MU_2 || T1), and sends this together with MU_ID to the HA, where "||" denotes concatenation and T1 is a timestamp;
step 4, the HA forwards the received authentication information of the MU to the CA together with its own certificate Cert_HA, i.e. it sends Cert_HA || MU_ID || E(mk_MU, S || R_MU_2 || T1) to the CA;
step 5, on receiving this, the CA verifies the validity of the certificate Cert_HA;
step 6, the CA looks up the user's master key mk_MU by MU_ID, decrypts E(mk_MU, S || R_MU_2 || T1) with mk_MU, selects a random number R_CA, and computes R = (SK_CA + R_CA) * R_MU_2 and T = S + R_CA * R_MU_2 * g;
step 7, the CA first generates the session key SessionKey shared by the MU and the HA, which the MU also uses when it roams to other FAs; it then encrypts R || T || SessionKey with mk_MU to obtain E(mk_MU, R || T || SessionKey), encrypts SessionKey || S with the HA's public key PK_HA to obtain E_PK_HA(SessionKey || S), and at the same time generates the roaming certificate Cert(MU_ID || HA_ID || TS || TE), registering the HA as the MU's home node, where TS and TE are the validity period of the certificate expressed as timestamps;
step 8, the CA sends E(mk_MU, R || T || SessionKey), E_PK_HA(SessionKey || S) and the roaming certificate to the HA;
step 9, the HA first decrypts E_PK_HA(SessionKey || S) to obtain the session key and S, then computes E(SessionKey, S);
step 10, the HA sends E(mk_MU, R || T || SessionKey) || Cert(MU_ID || HA_ID || TS || TE) || E(SessionKey, S) to the user MU;
step 11, the MU decrypts E(mk_MU, R || T || SessionKey) to obtain R, T and SessionKey, computes S + R * g and R_MU_2 * PK_CA + T and compares them; if they are equal, the session key was indeed generated by the CA. The MU then decrypts E(SessionKey, S) with the session key to obtain S, and if it equals the S sent earlier, the HA is trustworthy;
step 12, the MU sends the roaming certificate and E(SessionKey, S || FA_ID || T) to the remote node FA, where T is a timestamp;
step 13, the FA sends its own certificate, the roaming certificate and E(SessionKey, S || FA_ID || T) to the HA named in the roaming certificate;
step 14, the HA checks the roaming certificate, retrieves the corresponding SessionKey, and decrypts E(SessionKey, S || FA_ID || T) in order to:
(1) confirm the validity of the roaming certificate;
(2) confirm that the MU is the one requesting a connection to this FA (S matches the S from initial authentication and the timestamp is fresh);
step 15, the HA encrypts the session key SessionKey with the FA's public key PK_FA and sends E(PK_FA, SessionKey) to the FA;
step 16, the FA decrypts E(PK_FA, SessionKey) to obtain SessionKey and encrypts FA_ID || T with SessionKey, where T is a timestamp, and sends E(SessionKey, FA_ID || T) to the MU;
step 17, the MU decrypts E(SessionKey, FA_ID || T) and checks whether the content is correct; if so, the authentication succeeds.
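The roaming exchange of the first embodiment (steps (1)-(5)) and the full sequence of claim 1 are exercised end to end by the following added example, which is not code from the patent or its authors. All 17 steps run in one process with each party as a plain dict, so the reader can see which values each message carries and which checks each side performs. Everything below that the patent does not fix is an assumption: the group is secp256k1 written additively (the patent's "a * g" is scalar multiplication here); E(key, m) is a toy SHA-256 keystream with an HMAC tag standing in for a real AEAD such as AES-GCM; E(PK, m) is an ECIES-style construction over the same curve; certificates are length-prefixed fields with an HMAC under a key the CA shares with the fog nodes, standing in for a CA signature; the MU's "content is correct" check in step 17 is taken to mean that FA_ID matches and the timestamp is fresh; timestamps are accepted within 60 seconds.

```python
# Added example, not the patent's code: claim 1, steps 1-17, run end to end in one process.
# Assumptions (not from the patent): secp256k1 in additive notation, a toy encrypt-then-MAC E(key, m)
# standing in for a real AEAD, an ECIES-style E(PK, m), and HMAC-tagged certificates (stand-in for signing).
import hashlib, hmac, secrets, time

P = 2**256 - 2**32 - 977                                                    # secp256k1 prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141      # order q of G0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator g

def add(A, B):                          # affine point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, Q):                          # the patent's "k * g": double-and-add
    R = None
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def rnd(): return secrets.randbelow(N - 1) + 1
def enc(Q): return Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")
def dec(b): return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))
def i2b(i): return i.to_bytes(32, "big")
def b2i(b): return int.from_bytes(b, "big")
def cat(*fs): return b"".join(len(f).to_bytes(2, "big") + f for f in fs)  # the patent's "||"
def split(b):                           # inverse of cat
    out = []
    while b:
        n = b2i(b[:2]); out.append(b[2:2 + n]); b = b[2 + n:]
    return out
def chk(ok, why):
    if not ok: raise ValueError(why)

def ks(key, nonce, n):                  # SHA-256 keystream for the toy cipher
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
def E(key, m):                          # E(key, m): encrypt-then-MAC (toy; use AES-GCM in practice)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(m, ks(key, nonce, len(m))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def D(key, blob):                       # raises on a bad tag, so a forged ciphertext never decrypts
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    chk(hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()), "bad tag")
    return bytes(a ^ b for a, b in zip(ct, ks(key, nonce, len(ct))))
def E_pk(PK, m):                        # E(PK_X, m): ECIES-style, ephemeral k, shared point k*PK_X
    k = rnd(); return enc(mul(k, G)) + E(hashlib.sha256(enc(mul(k, PK))).digest(), m)
def D_pk(sk, blob): return D(hashlib.sha256(enc(mul(sk, dec(blob[:64])))).digest(), blob[64:])

CA_MAC = secrets.token_bytes(32)        # assumption: stands in for the CA's certificate-signing key
def issue(*fields):                     # certificate = fields || HMAC_CA(fields)
    body = cat(*fields); return body + hmac.new(CA_MAC, body, hashlib.sha256).digest()
def verify(cert):                       # returns the fields; raises on a forged certificate
    chk(hmac.compare_digest(cert[-32:], hmac.new(CA_MAC, cert[:-32], hashlib.sha256).digest()), "bad cert")
    return split(cert[:-32])
def now(): return int(time.time())
def fresh(tb): return abs(now() - b2i(tb)) <= 60   # timestamp window, an assumption

def make_ca(*mu_ids):                   # step 1: q, g fixed above; SK_CA random; PK_CA = SK_CA * g
    sk = rnd(); return {"sk": sk, "pk": mul(sk, G), "mk": {i: secrets.token_bytes(32) for i in mu_ids}}
def make_node(nid):                     # fog node (HA or FA): key pair, CA certificate, session table
    sk = rnd(); return {"id": nid, "sk": sk, "cert": issue(nid, enc(mul(sk, G))), "sessions": {}}
def make_mu(mid, ca): return {"id": mid, "mk": ca["mk"][mid]}   # MU shares master key mk_MU with CA

def initial_auth(mu, ha, ca):           # steps 2-11; returns the MU's roaming certificate
    r1, r2 = rnd(), rnd(); S = mul(r1, G)                                   # step 2
    msg3 = (mu["id"], E(mu["mk"], cat(enc(S), i2b(r2), i2b(now()))))       # step 3: MU -> HA
    msg4 = (ha["cert"],) + msg3                                             # step 4: HA -> CA
    ha_id, ha_pk = verify(msg4[0])                                          # step 5
    mk = ca["mk"][msg4[1]]                                                  # step 6
    s_b, r2_b, t1 = split(D(mk, msg4[2])); chk(fresh(t1), "stale T1")
    r_ca, r2_ca = rnd(), b2i(r2_b)
    R = (ca["sk"] + r_ca) * r2_ca % N
    T = add(dec(s_b), mul(r_ca * r2_ca % N, G))                             # T = S + R_CA*R_MU_2*g
    key = secrets.token_bytes(32)                                           # step 7: SessionKey
    cert_mu = issue(msg4[1], ha_id, i2b(now()), i2b(now() + 3600))         # Cert(MU_ID||HA_ID||TS||TE)
    msg8 = (E(mk, cat(i2b(R), enc(T), key)), E_pk(dec(ha_pk), cat(key, s_b)), cert_mu)  # step 8
    key_ha, s_ha = split(D_pk(ha["sk"], msg8[1])); ha["sessions"][cert_mu] = (key_ha, s_ha)  # step 9
    msg10 = (msg8[0], cert_mu, E(key_ha, s_ha))                             # step 10: HA -> MU
    R_b, T_b, key_mu = split(D(mu["mk"], msg10[0]))                         # step 11
    chk(add(S, mul(b2i(R_b), G)) == add(mul(r2, ca["pk"]), dec(T_b)), "SessionKey not from CA")
    chk(D(key_mu, msg10[2]) == enc(S), "HA did not prove knowledge of S")
    mu.update(key=key_mu, S=S, cert=msg10[1])
    return msg10[1]

def roaming_auth(mu, fa, ha):           # steps 12-17; True when the MU accepts the FA
    msg12 = (mu["cert"], E(mu["key"], cat(enc(mu["S"]), fa["id"], i2b(now()))))  # step 12: MU -> FA
    msg13 = (fa["cert"],) + msg12                                           # step 13: FA -> HA
    fa_id, fa_pk = verify(msg13[0])                                         # step 14
    mu_id, ha_id, ts, te = verify(msg13[1])
    chk(ha_id == ha["id"] and b2i(ts) <= now() <= b2i(te), "roaming certificate invalid or expired")
    key, s_ha = ha["sessions"][msg13[1]]
    s_b, fa_id_b, t = split(D(key, msg13[2]))
    chk(fresh(t) and s_b == s_ha and fa_id_b == fa_id, "not a fresh request from the MU for this FA")
    msg15 = E_pk(dec(fa_pk), key)                                           # step 15: HA -> FA
    msg16 = E(D_pk(fa["sk"], msg15), cat(fa["id"], i2b(now())))             # step 16: FA -> MU
    fa_id2, t2 = split(D(mu["key"], msg16))                                 # step 17: MU checks
    return fa_id2 == fa["id"] and fresh(t2)

def demo():                             # one MU, its home node HA-1, and a foreign node FA-7
    ca = make_ca(b"mu-001"); ha, fa = make_node(b"HA-1"), make_node(b"FA-7")
    mu = make_mu(b"mu-001", ca); initial_auth(mu, ha, ca)
    return roaming_auth(mu, fa, ha)
```

Running demo() returns True; any tampered message or certificate raises ValueError at the step whose check it violates. Exactly as in step 15 of the claim, the HA hands the MU's own SessionKey to the FA, so after roaming the FA holds the same key the MU shares with its home node; a deployment that wants a separate key per FA would have the HA derive one in step 15 instead of forwarding SessionKey itself.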
CN201910861089.3A 2019-09-12 2019-09-12 Method for terminal user safety roaming authentication in fog computing system Active CN110636495B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910861089.3A CN110636495B (en) 2019-09-12 2019-09-12 Method for terminal user safety roaming authentication in fog computing system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910861089.3A CN110636495B (en) 2019-09-12 2019-09-12 Method for terminal user safety roaming authentication in fog computing system

Publications (2)

Publication Number Publication Date
CN110636495A CN110636495A (en) 2019-12-31
CN110636495B true CN110636495B (en) 2023-02-10

Family

ID=68972162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910861089.3A Active CN110636495B (en) 2019-09-12 2019-09-12 Method for terminal user safety roaming authentication in fog computing system

Country Status (1)

Country Link
CN (1) CN110636495B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111314348B (en) * 2020-02-19 2022-07-12 中国联合网络通信集团有限公司 Method and device for establishing trust degree model, trust evaluation and equipment authentication
CN112769568B (en) * 2021-01-29 2022-07-22 华中师范大学 Security authentication communication system and method in fog computing environment and Internet of things equipment
CN113364849B (en) * 2021-06-01 2022-09-27 南京臻融科技有限公司 DDS-based cross-wide area network dual-roaming data transmission method, system and storage medium
CN114124548B (en) * 2021-11-26 2024-01-26 中通服咨询设计研究院有限公司 Data cross-domain flow security method based on edge calculation
CN115694979A (en) * 2022-10-28 2023-02-03 重庆长安汽车股份有限公司 Method, device, equipment, medium and program for accessing MQTT (Multi-query Log) by vehicle-mounted terminal

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN107360567A (en) * 2017-08-17 2017-11-17 西南交通大学 Identity-based pairing-free cross-domain handover authentication and key agreement method for wireless networks

Non-Patent Citations (2)

Title
A lightweight attribute-based outsourced encryption algorithm for fog computing; Zeng Ping et al.; Application Research of Computers; 2018-12-12; full text *
Research on secure access control for the Internet of Things based on fog computing; Qian Jin; China Master's Theses Full-text Database, Information Science and Technology; 2020-02-15; Chapter 4 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240124

Address after: Room 12002-05, Building B, Lugu Information Port, No. 658 Lugu Avenue, High tech Development Zone, Changsha City, Hunan Province, 410221

Patentee after: Hunan Ruiyun Information Technology Co.,Ltd.

Country or region after: China

Address before: 100070 Beijing city Fengtai District Fung Fu Road No. 7

Patentee before: BEIJING ELECTRONIC SCIENCE AND TECHNOLOGY INSTITUTE

Country or region before: China
